11

I am currently deploying an R Shiny app to Azure App Service, and restricting access via Active Directory integration (which seems to use the Azure easyauth proxy under the hood).

When I deploy the rocker/shiny:3.6.0 or rocker/shiny:4.0.0 container to simply see the "hello world" page the deployment is successful.

When I turn on Active Directory Authentication, the website hangs, then returns a 500.

I have attached the error log at the bottom of this message, but I don't think it has any useful information with respect to things I have control over.

Further investigation shows that if I deploy rocker:shiny:3.5.2 or below, everything works as expected. If I deploy rocker/shiny:3.6.0 or above, I get a 500 and the website hangs.

Deploying rocker/shiny:3.5.3 results in the symptoms reported in these questions:

So I am fairly sure the root cause is different.

To me this indicates changes in the rocker/shiny:3.6.0 packages and above which is stopping the authentication from working, but I am afraid this is where my debugging ability stops!

My questions are - am I actually just doing something wrong, is this a known issue, and how do I report it (and to who?!).

Thanks for any help,

Akhil

App Service Error Message

fail: Middleware[0]
      Unhandled exception in request pipeline: System.Net.Http.HttpRequestException: An error occurred while sending the request.
       ---> System.IO.IOException: The response ended prematurely.
         at System.Net.Http.HttpConnection.FillAsync()
         at System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(Boolean foldedHeadersAllowed)
         at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
         --- End of inner exception stack trace ---
         at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
         at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
         at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
         at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
         at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
         at Microsoft.Azure.AppService.MiddlewareShim.Startup.ForwardRequestAsync(HttpContext context) in /EasyAuth/Middleware.Host/Startup.cs:line 197
         at Microsoft.Azure.AppService.MiddlewareShim.Startup.OnRequest(HttpContext context) in /EasyAuth/Middleware.Host/Startup.cs:line 151
fail: Microsoft.AspNetCore.Server.Kestrel[13]
      Connection id "...", Request id "...": An unhandled exception was thrown by the application.
System.Net.Http.HttpRequestException: An error occurred while sending the request.
 ---> System.IO.IOException: The response ended prematurely.
   at System.Net.Http.HttpConnection.FillAsync()
   at System.Net.Http.HttpConnection.ReadNextResponseHeaderLineAsync(Boolean foldedHeadersAllowed)
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.HttpConnection.SendAsyncCore(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithNtConnectionAuthAsync(HttpConnection connection, HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.Azure.AppService.MiddlewareShim.Startup.ForwardRequestAsync(HttpContext context) in /EasyAuth/Middleware.Host/Startup.cs:line 197
   at Microsoft.Azure.AppService.MiddlewareShim.Startup.OnRequest(HttpContext context) in /EasyAuth/Middleware.Host/Startup.cs:line 151
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application
Akhil Nair
  • 3,144
  • 1
  • 17
  • 32
  • 2 months later with `rocker/shiny-verse:latest` I hit the same issue from a different avenue. Using `3.5.2` solved this again. – Akhil Nair Feb 05 '21 at 11:19

1 Answers1

4

There is a known issue where some recent versions of node (or some other webservers) has a maximum capacity of 8KB for headers.

When you enable EasyAuth, it adds some large headers to the request.

To overcome this, you can use on of the 2 solutions:

1. Use WEBSITE_AUTH_DISABLE_IDENTITY_FLOW App Settings

When this variable is set to true it disables assigning the thread principal identity, which will remove one of the largest headers added to the request X-MS-CLIENT-PRINCIPAL, which is generally used by .NET Framework and Function apps.

However, it contains the same claims as the id_token. A Base64-encoded JSON object that we can decode to get the information. If you want access to the id_token JWT directly, you can use X-MS-TOKEN-AAD-ID-TOKEN header.

Reference: https://github.com/cgillum/easyauth/wiki/Advanced-Application-Settings

2. Raise the limit of the header size

This can be done using the NODE_OPTIONS variable, as described in the following github issue here.

Example: NODE_OPTIONS=--max-http-header-size=16384

Saif Badran
  • 326
  • 4
  • 14